IEEE member and 18-year Hyundai and Kia veteran Geol Kang reveals the multi-layer framework now adopted across automotive affiliates
Cybersecurity incidents in connected vehicles jumped from 5% to 19% in just one year, effectively tripling attack rates, according to Upstream Security’s 2025 report. With modern cars functioning as mobile data centers loaded with sensors, software, and constant connectivity, a single breach could disable millions of vehicles, cripple supply chains, or shut down entire EV charging networks.
Geol Kang witnessed this vulnerability firsthand during a large-scale credential stuffing incident that targeted his company’s connected car application platform, resulting in excessive authentication requests and temporary performance degradation. The attack could have disrupted services for millions of drivers. Instead, his multi-layer defense architecture detected anomalies, redirected malicious traffic, and activated containment protocols, all without users noticing any disruption. This incident validated 18 years of work transforming automotive cybersecurity from reactive patches to predictive resilience.
Since joining Hyundai AutoEver in 2008, Kang has engineered remarkable improvements: cloud defense effectiveness from below 10% to over 90%, Web Application Firewall (WAF) deployment across 400 North American domains achieving 99% compliance (up from less than 10%), and response times cut from hours to minutes. His frameworks now serve as playbooks for affiliates and external organizations, earning him IEEE senior membership and recognition from the Advanced Information Technology & Emerging Tech Council (AITEX).
In this exclusive interview, Geol, who earned his bachelor’s degree from Hanyang University, a prestigious research institution recognized as one of South Korea’s top universities in engineering and technology, and consistently ranked in the QS World University Rankings for Engineering and Technology for its academic excellence and industry collaboration, reveals why speed isn’t about human response anymore. Still, he discusses architectural self-protection, how he aligned Korean compliance culture with American flexibility demands, and why by 2030, the best security systems won’t just adopt zero-trust; they’ll eliminate trust as a starting point entirely.
Geol, with the rise of attacks on connected vehicles worldwide, how do you turn that urgency into real architectural changes?
I focus on finding where the biggest risks align with critical business needs. However, one of our early issues was poor security in web applications. For example, more than 400 public-facing domains had less than 10% security compliance. To address this, we overhauled the architecture, set consistent policies, and automated deployments. These changes boosted compliance to 99% and cut down on vulnerable attack points.
In the cloud, we dealt with a similar issue. Visibility was split up and reactive. So, we combined Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP) and then used data from various sources to improve defense. This boosted effectiveness from less than 10% to more than 90%. As a result, we reduced detection and containment from hours to just minutes. That can mean avoiding a global outage by keeping incidents under control.
You’ve handled big incident responses. Can you tell us the one that changed how you approach things, and what architectural lessons you learned?
We once faced a major DDoS attack on our connected mobility systems that millions of users depend on. Before, this kind of attack could have shut down essential services. However, we used our multi-layer defense setup to nip it in the bud. This setup combined scrubbing centres, intrusion prevention, and WAF telemetry into one system, which let us respond in a completely different way. The system spotted unusual traffic patterns on its own, redirected harmful flows earlier in the network, and activated containment plans across different layers. As a result, end users didn’t notice any disruptions. That incident proved an important idea: speed isn’t about how fast people respond anymore; it’s about the ability of the system’s design to protect itself.
Having said that, the automotive world covers IT networks, factories, and connected cars, all with their unique needs. How do you handle something as complex as that?
Many companies usually make the mistake of taking these things as separate areas. That creates blind spots. Be that as it may, I focus on building layers that connect them. These include central systems that process data from IT networks, operational tech, and vehicle components all at once.
Say an issue pops up in the factory’s network. The system can step in and apply isolation rules to stop it from spreading further into vehicle systems. This is a shift from rigid security walls to a flexible containment plan. So, the real problem isn’t complexity itself. It’s when complexity gets out of control. Now, the goal is to make the architecture smart instead of something that creates chaos.
However, to deploy defenses across Korea and the U.S., different approaches to risk needed to align. What strategies helped achieve that?
We used a two-speed rollout model. Korean HQ emphasises strict compliance rules, but U.S. operations value speed and flexibility. So, we rolled out in stages. The first stage gave U.S. teams quick, visible wins, such as automated access controls. The second stage integrated Korea’s compliance rules more into the system design.
We also created “translation layers” like documentation, reporting systems, and shared dashboards. These tools helped business teams understand regulatory metrics and regulators grasp business metrics. This method turned cultural disagreements into shared understanding. So, I would tell any global organization this: designing systems is just as much about structuring organizations as it is about building technology.
Now, your multi-layer defense framework seems to inspire affiliates and is even mentioned in external playbooks. What makes its design work so well for different setups?
There are three key ideas. First, unified telemetry ensures all layers of defense communicate, allowing the system to connect the dots on anomalies. Second, automation-first response lets the system execute playbooks without needing an analyst every time. Third, continuous validation keeps defenses strong by testing them with simulated attacks to ensure they can handle real pressure.
The results speak for themselves: 99% compliance in web apps, over 90% effectiveness in cloud defenses, and no business disruptions even during big incidents. Now, organizations using this framework aren’t just borrowing tools, but they’re embracing a way to build resilience.
Yet, your research on automated incident response and enterprise segmentation has gained international recognition. Can you share an example of how one of those frameworks works in real life?
One of the most significant projects I worked on focused on building a fast-response framework for managing incidents in cloud-native systems. We turned incident response playbooks into templates using Infrastructure-as-Code. This allowed us to act by doing things like isolating workloads or changing access keys, cutting response time down to seconds.
We applied this framework in a financial services organization where manual responses took about 45 minutes. Automation reduced that to less than five minutes, which prevented threats from spreading before they could get worse. It’s a practical example of turning research into results that businesses can measure.
Nonetheless, reviewing projects for events like the Cases & Faces Awards and assessing work at AITEX lets you observe the cybersecurity world from a wider angle. What common errors do you notice, and how do they shape your own views?
The biggest issue I see is designing complex solutions that don’t fit together. Many teams bring exciting new tools but fail to build a unified defense system. Another common issue is ignoring the urgency of detection speed. Companies often spend all their energy on prevention, but they overlook how fast they can address breaches when they happen.
So, recognizing these trends has strengthened my belief that security needs to focus on overall design and reaction speed. It doesn’t matter how many tools you have if they don’t work together in smart and fast ways during critical moments.
Finally, you managed to boost cloud defense from just below 10% to above 90% and stopped massive attacks without disruptions. As we approach 2030, how do those experiences shape your vision of future security systems?
Those situations taught me something important: security can’t be reactive. It needs to predict and sustain itself. By 2030, top organizations will not just adopt zero-trust policies. They will design systems where trust isn’t even a starting point.
Now, we are already testing compliance-as-code in CI/CD pipelines. These pipelines check every deployment against regulatory standards. By the end of the decade, this will no longer feel new; it will just be the norm.
However, the real advancement lies in adaptive, AI-powered defense systems. In 2024, teams needed minutes instead of hours to handle cloud security threats. By 2030, the standard will shrink to seconds. Systems will predict unusual activity before it becomes an issue and act on it without needing someone to intervene.
So, in the next few years, people who see AI as just an add-on tool will fall behind. Those leading the way will rebuild their core systems to accommodate failure and recovery as naturally as uptime. This separates systems that endure from those that break down.
